Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
@@ -20,7 +20,7 @@ Implement the node-level observer that monitors running workloads, detects drift
|
||||
- Any runtime-specific design notes referenced in `TASKS.md`.
|
||||
|
||||
## Working Agreement
|
||||
1. **Status updates**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work.
|
||||
1. **Status updates**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` when starting/finishing work.
|
||||
2. **Surface compliance**: rely on Surface libraries for cache/env/secret handling; run validators before collecting evidence.
|
||||
3. **Deterministic evidence**: normalise timestamps, hashes, and paths; ensure outputs remain stable for replay/audit.
|
||||
4. **Security**: enforce Authority scopes (OpToks, mTLS/DPoP), redaction of sensitive fields, and namespace isolation.
|
||||
|
||||
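Review bot: In the replacement for item 1, the path `/docs/implplan/SPRINT_*.md` gains a leading slash that the removed line (`docs/implplan/SPRINTS.md`) did not have, so it reads as a filesystem-absolute path rather than a repository-relative one. Suggest dropping the slash to match the unchanged `TASKS.md` style of reference, and writing "both the sprint file" since the article is missing after "both".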
@@ -21,7 +21,7 @@ Operate the Kubernetes admission webhook enforcing image/SBOM/attestation polici
|
||||
- `docs/modules/devops/runbooks/zastava-deployment.md`
|
||||
|
||||
## Working Agreement
|
||||
1. **Task state**: update `docs/implplan/SPRINTS.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work.
|
||||
1. **Task state**: update corresponding sprint file `docs/implplan/SPRINT_*.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work.
|
||||
2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies.
|
||||
3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs.
|
||||
4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions.
|
||||
|
||||
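Review bot: The new item 1 points at "corresponding sprint file `docs/implplan/SPRINT_*.md`", but the wildcard matches every sprint file and nothing in the line says how the corresponding one is chosen. Suggest stating the rule (for example, the sprint file that lists the task) so status updates do not land in the wrong file. This hunk also writes the path without a leading slash while the other two hunks in this commit use `/docs/implplan/SPRINT_*.md`; pick one form.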
@@ -20,7 +20,7 @@ Maintain shared domain models, policy evaluation helpers, and event contracts us
|
||||
- `docs/modules/devops/runbooks/zastava-deployment.md`
|
||||
|
||||
## Working Agreement
|
||||
1. **Status alignment**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` at start/finish.
|
||||
1. **Status alignment**: mark tasks `DOING`/`DONE` in both sprint file `/docs/implplan/SPRINT_*.md` and local `TASKS.md` at start/finish.
|
||||
2. **Compatibility**: version event schemas/models; provide migration notes and ensure Observer/Webhook consumers stay in lock-step.
|
||||
3. **Determinism**: avoid wall-clock or random values in shared models; normalise timestamps; maintain canonical ordering.
|
||||
4. **Security & tenancy**: include tenant identifiers and audit fields where required; document contract changes for other guilds.
|
||||
|
||||
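Review bot: Item 1 here is still titled "Status alignment" and ends "at start/finish", while the same rule in the other two files touched by this commit is titled "Status updates" and "Task state" with different wording, which does not match the commit's stated goal of standardizing the instruction. Suggest one shared sentence across all three AGENTS.md files, with the same path form (`docs/implplan/SPRINT_*.md` versus `/docs/implplan/SPRINT_*.md`) in each.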